Having played both the attacker and defender role for many years, something I have often seen, and even done myself, is make statements and assumptions about the "sophistication" of my adversary. Often when some big hack occurs, blogs, media stories and quotes from experts will espouse opinions that "the attacker was not very sophisticated" or "it was an extremely sophisticated attack". I believe that often, and I myself have been guilty of this, these assertions are the result of a wrong-headed analysis and a misunderstanding of what sophistication means in the context of computer attacks.

An example will help illustrate the point. I have heard Stuxnet labeled both sophisticated and unsophisticated. One might be tempted to point to the inclusion of 4 0days as proving that highly skilled attackers launched this attack. Well, 0days can be bought. Others might say: well, the way it was caught and the fact that it could infect more than its presumed target means the attackers weren't very good. Even the most well developed attacks get caught eventually. (See the device the Russians implanted in the Great Seal 60 years ago.)

A truly sophisticated attacker will use only what is necessary and cost effective to achieve their goals and no more. An even better attacker will attempt to convince you they are not very good and waste as much of your time as possible while still achieving the goal.

I would put forth the idea that the determination of sophistication be based on the following: did the attacker achieve their goals? Let us assume further that these goals consist of:

1.) Gaining unauthorized access to one or more of your systems

If they achieve #1 then they have already proven to be more sophisticated than your first line of defensive / prevention systems as well as your user awareness and training program. To speak of the attacker as unsophisticated because they used an automated SQL injection tool or a basic phishing email is silly, because you have no idea how good they are based solely on the penetration mechanism, and they are already more sophisticated than your ability to stop them.

2.) Evasion of detection, at least for the period of time required to complete some goals

If they have a shell on one of your systems, and nothing detects, alerts or responds, then the attacker is more sophisticated than your SIM implementation, IDS and first line analysts, at least from the detection-during-initial-attack standpoint. The fact that they used XOR vs full SSL to protect network communications from detection is irrelevant and gives you no clue as to how good they are.

3.) Access to and/or exfiltration of sensitive data

If the attacker has been able to take the data they are targeting then they have overcome your internal controls, ACLs and data protection. It matters not if they used a zip file or steganography to package the data.

4.) Persistence

If the attacker can persist with unauthorized access on your system for any period of time then they have outsmarted your defensive team, your secure configuration management and basically all your defenses. It doesn't matter if their method of persistence is a simple userland executable launched from the Run key in the registry or a highly stealthy kernel driver; they won that round.

5.) Effect

If they can cause a real world effect such as blowing up your centrifuges, gaining a competitive advantage, or spending your money then that is the final nail in your coffin. They are more sophisticated than you are, regardless of what type of exploit they used, whether it was a 10 year old Perl CGI bug or one that uses memory tai chi to elegantly overcome Windows 7 buffer overflow protection.

Let's think about this for a minute. Think of all the money, time, resources and personnel you have expended on perimeter defense, detection and alerting, and analytical teams. Think of the work involved at the vendors who have developed all of the products and appliances you have purchased. The PhDs at AV vendors designing heuristics, the smart guys and girls developing exploits and signatures at your favorite IDS company. The awesome hax0rs at the pen test company you just hired. The often millions of dollars spent on defense. All of this and the attacker has subverted it, maybe with a month of work, maybe less, and considerably less funding in most cases. So who is the sophisticated one?

The only place you might have won is in the forensics post-event department, usually the least funded and most resource starved component of your program. This is usually where the determination is made that the attacker was not very sophisticated, because it was possible to reverse engineer the attack and understand the tools and techniques used. That's great, but just because you can understand that an assassin used a rock to kill a VIP doesn't mean the assassin sucks if they got away from the highly skilled protection detail, the target is dead, and their identity remains unknown.

So pause for a moment before you label an attacker unsophisticated or a skript kiddie. Ask yourself, did they achieve the above mentioned goals? If so then they outsmarted you.

V.

All too often, we at Attack Research have found that students are not being taught, or are not allowed, to properly perform real-world scenarios. For example, they want to run vulnerability scanners on penetration tests! When we say they are not allowed to perform real-world scenarios, some would say it’s the government or the company that doesn't want the real-world scenario. This might be very true, but those governments and companies received the understanding somewhere that running vulnerability scanners on a penetration test was a good idea, and this understanding came through some form of education. Think of network security back in the late 90's to early 2000's: Real-world attacks really did combine scanning for a vulnerability and then exploiting it. Sasser came along and changed the game, and we then had firewalls, improvements in host configurations, etc. In the early 2000's, we started to see what we currently recognize as training in the industry. This training was based upon the attacks in that time period. Well, the evolution of attack has changed, and so has the defense.

Don't get me wrong; the training industry has also evolved, but not at the rate it did when it first started back in the late 90's and 2000's. Back then, there really wasn't a standard for delivering attack-based training. We have certainly had our fair share of standards since then, but when there is no set standard, it is easier to create a new one than it is to change the current one. Well, it's time to change that!

Classes at Attack Research are designed to help students with real-world problems. We hope to work at a grass roots level and a management level to change the way governments and companies approach network security. This is why our classes are designed to teach technical-level, real-world content, not only from an offensive perspective but from a defensive one as well. Students will come out of our classes ready to use the skills they learned. They will learn not only how a certain tool is used but the fundamentals behind it, so that when they get differing results from the tools, they will know how to handle it or, better yet, they will not use the tool and write their own!

We are proud to announce that Attack Research will be at a number of conferences and locations in 2013. Last week, we announced our partnership with Trail of Bits to offer training in the New York City area in January, April, and June.

Along with our annual training at Black Hat Las Vegas, we have joined with Source Conference to provide training at all their conferences. At Source Boston, we will be offering a 2-day version of our Offensive Techniques training. We will also be at BruCON in September!

Attack Research can transport any of its classes around the world or at your own company. If you are interested in private trainings, please drop us a line at training@attackresearch.com

Starting in 2013, we will hold trainings at Attack Research headquarters in New Mexico, where we will be offering reduced rates for all classes. The majority of our classes will be offered at this location, and they are scheduled to begin January 29-30. We will debut our brand new class, Operational Post Exploitation. You can register for this class here.

Our list of available classes is:

Offensive Techniques – Offensive Techniques offers students the opportunity to learn real offensive cyber-operation techniques. The focus is on recon, target profiling and modeling, and exploitation of trust relationships. The class will teach students non-traditional methods that follow closely what advanced adversaries do, rather than compliance-based penetration testing, and will also teach students how to break into computers without using exploits.

Operational Post-Exploitation – This class explores what to do after a successful penetration into a target, including introducing vulnerabilities rather than back doors for persistence. Operational Post-Exploitation covers such techniques as data acquisition, persistence, stealth, and password management on many different operating systems and using several scenarios.

Rapid Reverse Engineering – Rapid Reverse Engineering is a must these days with APT-style attacks and advanced adversaries. This class combines deep reverse engineering subjects with basic rapid triage techniques to provide students with a broad capability when performing malware analysis. This course will take the student from 0 to 60, focusing on learning the tools and key techniques of the trade for rapidly reverse engineering files. Students will understand how to rapidly assess all types of files.

Attacking Windows — Attacking Windows is Attack Research's unique approach to actually securing Windows. Students will become proficient in attacking Windows systems, learning the commands that are available to help move around systems and data, and examining and employing logging and detection. It will also cover authentication mechanisms, password storage and cracking, tokens, and the domain model. Once finished with this course, students will have a foundation on how attack models on Windows actually happen and how to secure against them.

Attacking Unix — Attacking Unix is Attack Research's unique approach to actually securing Unix. Students will become proficient in attacking Unix systems, focusing mostly on Linux, Solaris and FreeBSD. SSH, Kerberos, kernel modules, file sharing, privilege escalation, home directories, and logging all will be covered in depth. Once finished with this course, students will have a foundation on how attack models on Unix actually happen and how to secure against them.

Web Exploitation — The web is one of the most prevalent vectors of choice when attacking targets because websites reside outside the firewall. Web Exploitation will teach the basics in SQL injection, CGI exploits, content management systems, PHP, ASP, and other back doors, as well as the mechanics of exploiting web servers.

MetaPhishing – MetaPhishing is a class designed to teach the black arts for targeted phishing operations, file format reverse engineering and infection, and non-attributable command and control systems. Once completing this class, students will have a solid foundation for all situations of phishing.

Basic Exploit Development — In order to use the tools, one must have an understanding of the basics of how they work. Basic Exploit Development will cover the step-by-step basics, tools, and methods for utilizing buffer/heap overflows on Windows and Unix.

This full listing is available on our website as well under the services/training section. Along with each class, there is a place to allow for notification of when the class will be offered next, either at Attack Research HQ or at a different location.

I will be releasing some example modules from some of our classes over the next few weeks so you can get a feel for what we are offering. If you have any questions, please don't hesitate to contact us at training@attackresearch.com

Authors: Stephen Lewis. Tags: embedded. Event: Chaos Communication Congress 21st (21C3), 2004. Abstract: Although attacking embedded devices is not a new idea, little work has been done on using these devices for attack. Here I present work on the insertion of custom code into a network switch in order to carry out attacks on a network. The use of embedded devices present on a network as a vector for attacks against endstations is a threat that has not yet been realized, despite the knowledge of a number of vulnerabilities affecting such devices. This is probably due to the resistance of such devices to reverse engineering: they frequently run custom operating systems on obscure architectures.

Authors: David Perez, Jose Pico. Tags: GSM, phone. Event: Black Hat DC 2011. Abstract: In this presentation we will show a practical attack against GPRS, EDGE, UMTS and HSPA (2G/3G) mobile data communications. We will demonstrate that an attacker with a budget of less than $10,000 can set up a rogue BTS, make the victim devices connect to such BTS, and gain full control over the victim's data communications. Two vulnerabilities make the attack possible: first, the absence of mutual authentication in GPRS and EDGE (2G), which makes GPRS and EDGE devices completely vulnerable to this attack, and second, the mechanism implemented on most UMTS and HSPA (3G) devices that makes them fall back to GPRS and EDGE when UMTS or HSPA are not available, which makes it possible to extend the attack to these 3G devices.

Authors: Dan Kaminsky. Tags: cryptography. Event: Chaos Communication Congress 21st (21C3), 2004. Abstract: Joux and Wang's multicollision attack has yielded collisions for several one-way hash algorithms. Of these, MD5 is the most problematic due to its heavy deployment, but there exists a perception that the flaws identified have no applied implications. We show that the appendability of Merkle-Damgård allows us to add any payload to the proof-of-concept hashes released by Wang et al. We then demonstrate a tool, Stripwire, that uses this capability to create two files – one which executes an arbitrary sequence of commands, the other which hides those commands with the strength of AES – both with the same MD5 hash. We show how this affects file-oriented system auditors such as Tripwire, but point out that the failure is nowhere near as catastrophic as it appears at first glance. We examine how this failure affects HMAC and Digital Signatures within Digital Rights Management (DRM) systems, and how the full attack expands into an unusual pseudosteganographic strikeback methodology against peer to peer networks.

Authors: Adam Laurie, Marcel Holtmann, Martin Herfurt. Tags: bluetooth. Event: Chaos Communication Congress 22nd (22C3), 2005. Abstract: This talk will provide an overview of all currently known Bluetooth exploits, as well as live demonstrations, including Bluebugging, Snarfing, Dumping, PIN cracking and Car Whispering. Since the last trifinite group presentation at 21C3 a lot has happened in the Bluetooth hacking world. New vulnerabilities have come to light, including some that, unlike previous issues, attack the Bluetooth fundamentals themselves, such as pairing and cryptography. In addition to these, other new attacks such as BlueSmack, BlueSnarf++, BlueBump and Car Whisperer have been developed. In the rapidly expanding world of Bluetooth, it seems the opportunities for mischief abound, and this is a target rich environment for the White and Black Hat hacker alike. In this talk we will present live demonstrations of tools such as Car Whisperer, which allows an attacker to connect to vehicle car kits and listen in to conversations via the microphone, and/or inject sound into the car speakers... Provide your own useful traffic bulletins! How often have you wanted to reach out and pass your compliments on the excellent maneuver the guy in front of you just made? Now you can do all of that and more... In May 2005 Shaked & Wool published a theoretical attack on the Bluetooth pairing process. In this talk we will show that the theory is a reality, and present the combined techniques of BlueDumping, BlueSpooofing and PIN cracking, leading to the all-new eavesdropping attack dubbed BlueDropping. This is a brand new attack, never seen in public before, and disclosed for the first time at 22C3. Using this technique, it is possible to monitor and record any and all data and/or voice traffic within a Bluetooth piconet. New tools such as BloooverII will also be released.

Today I wanted to talk a bit more about APTSim. We all know by now that the bad guys always get in, especially determined, well funded and well equipped attackers. We know roughly HOW they are getting in, which is usually via a targeted phish, SQL injection, malicious URL, etc.: things that are hard to defend against because they depend on a human element or on trust partnerships between organizations.

What we don't think about is the fact that our incident response and detection teams don't get exercised sufficiently (or ever), which makes them much less effective than they could be. We also don't think about modeling and understanding what real attack traffic looks like so we can tune our defenses against it. REAL traffic, not Nessus scans or Core Impact exploits.

How can we know that our people and systems are actually able to detect the types of attacks we really care about if we don't know what each attack looks like in every data source we have? Is there a Windows event log entry reflecting a change in service permissions? Can the timing pattern in the call-home beacon be seen in NetFlow? What does an exfil file hidden in the recycle bin via user SID look like, and is it visible?

If you know all the malicious inputs to the system ahead of time, then you can determine all the data sources you have that show indicators that something has happened, rather than waiting until an attack happens to attempt to track it all back and hope for the best.
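As an added example (not code from the original post), the "can the beacon timing be seen in NetFlow" question above, worked over constructed flow records: flows are grouped by source, destination and port, and a channel is flagged when the gaps between its connections are nearly constant. The record layout, the sample values and the jitter threshold are this example's own assumptions.

```python
"""Beacon-timing check over constructed NetFlow-style records.

Added example, not part of the original post: a call-home beacon with a
fixed sleep shows up in flow data as a channel whose inter-connection gaps
barely vary, while ordinary browsing is bursty and irregular.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # 10.0.0.5 -> 203.0.113.10:80 roughly every 300 s with a few seconds of jitter
    *[(1_600_000_000 + 300 * i + j, "10.0.0.5", "203.0.113.10", 80, 412)
      for i, j in enumerate([0, 3, -2, 5, 1, -4, 2, 0])],
    # 10.0.0.7 browsing 198.51.100.4:443: bursts, long idle periods, varied sizes
    (1_600_000_010, "10.0.0.7", "198.51.100.4", 443, 15000),
    (1_600_000_012, "10.0.0.7", "198.51.100.4", 443, 23000),
    (1_600_000_400, "10.0.0.7", "198.51.100.4", 443, 9000),
    (1_600_001_900, "10.0.0.7", "198.51.100.4", 443, 31000),
    (1_600_001_905, "10.0.0.7", "198.51.100.4", 443, 1200),
    (1_600_002_700, "10.0.0.7", "198.51.100.4", 443, 8800),
]


def find_beacons(flows, min_connections=6, max_jitter=0.10):
    """Return (src, dst, port, period_seconds) for channels whose connection
    gaps are suspiciously regular.

    max_jitter is the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; channels at or below it are flagged.
    min_connections avoids flagging channels with too few samples to judge.
    """
    by_channel = defaultdict(list)
    for ts, src, dst, dport, _size in flows:
        by_channel[(src, dst, dport)].append(ts)

    hits = []
    for channel, stamps in by_channel.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            hits.append((*channel, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, port, period in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{period}s")
```

A real run would feed exported flow records instead of SAMPLE_FLOWS and tune max_jitter against the amount of sleep randomisation you expect to see.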

This subject is a bit more tricky, so let's approach it first with an example. Using HERMES, we analyzed some samples and activity from a group of APT actors that we call "UPS". The typical UPS attack performed the following activities (this information was compiled from IR activity and shared data from other victims):

Generate a particularly timed beacon that communicates over HTTP

Drop the command line Chinese language version of winrar on the target

Replace sticky keys with cmd.exe for persistence and access via RDP

Turn on RDP if it's not already enabled

Index and archive all office documents, compress and encrypt them with RAR and a specific password and store them in the recycle bin

Enable the support_388945a0 account and add it to the local admin group

Exfiltrate the data encoded over port 443 (but not SSL)

Setup an insecure service for persistence / privilege escalation

That is a fairly comprehensive list of attacker activity, and each action generates specific network traffic, log entries, or files on the target. So what we do with APTSim is take all the above information and create a piece of pseudo-malware that takes the same actions, except in a safe and controlled manner, and includes cleanup components so it can be removed when the exercise is complete.
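The UPS activity list above, turned into per-action detection rules and run over constructed Windows event records, as an added example rather than Attack Research's own APTSim tooling. The event field names follow Windows Security, System and Sysmon conventions, but which event is chosen to represent each action is this example's own assumption, as are the sample values.

```python
"""Host-artifact rules for the "UPS" activity list above, evaluated over
constructed Windows event records.

Added example, not Attack Research's APTSim code.  Assumptions: each event is
a flattened dict using Windows Security (4722, 4732, 4688), System (7045) and
Sysmon (11 file create, 13 registry value set) field names; the choice of
which event shows each UPS action is this example's own mapping, made to
illustrate knowing the data source in advance, not a statement from the post.
"""
import re

# $Recycle.Bin\<user SID>\<name>.rar, the "hidden via user SID" staging path
RECYCLE_BIN_RAR = re.compile(r"\\\$recycle\.bin\\s-1-5-21-[\d-]+\\[^\\]+\.rar$")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def _f(event, key):
    """Field value lower-cased, empty string when the field is absent."""
    return str(event.get(key, "")).lower()


# (rule name, predicate over one event); each rule maps to one UPS action
RULES = [
    ("support_388945a0 account enabled",
     lambda e: e["EventID"] == 4722 and _f(e, "TargetUserName") == "support_388945a0"),
    ("support_388945a0 added to local Administrators",
     lambda e: e["EventID"] == 4732 and _f(e, "TargetUserName") == "administrators"
     and "support_388945a0" in _f(e, "MemberName")),
    ("sticky keys binary replaced",
     lambda e: e["EventID"] == 11 and _f(e, "TargetFilename").endswith("\\system32\\sethc.exe")),
    ("sticky keys hijacked via IFEO debugger",
     lambda e: e["EventID"] == 13
     and "image file execution options\\sethc.exe" in _f(e, "TargetObject")),
    ("RDP enabled (fDenyTSConnections set to 0)",
     lambda e: e["EventID"] == 13 and _f(e, "TargetObject").endswith("\\fdenytsconnections")
     and _f(e, "Details").endswith("(0x00000000)")),
    ("RAR archive staged in Recycle Bin",
     lambda e: e["EventID"] == 11 and RECYCLE_BIN_RAR.search(_f(e, "TargetFilename")) is not None),
    ("command-line RAR run from user-writable path",
     lambda e: e["EventID"] == 4688 and _f(e, "NewProcessName").endswith("\\rar.exe")
     and any(p in _f(e, "NewProcessName") for p in USER_WRITABLE)),
    ("service installed from user-writable path",
     lambda e: e["EventID"] == 7045 and any(p in _f(e, "ImagePath") for p in USER_WRITABLE)),
]


def evaluate(events):
    """Return [(rule name, event index)] for every event that trips a rule."""
    hits = []
    for idx, event in enumerate(events):
        for name, predicate in RULES:
            if predicate(event):
                hits.append((name, idx))
    return hits


def untested_rules(events):
    """Rules no event exercised: the UPS actions this data set would give the
    responders nothing for, which is what a rehearsal should surface before a
    real intrusion does."""
    fired = {name for name, _ in evaluate(events)}
    return [name for name, _ in RULES if name not in fired]


# Constructed events mimicking one UPS-style run on host WS-042 (values invented).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rar.exe"},
    {"EventID": 11, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rar.exe",
     "TargetFilename": "C:\\$Recycle.Bin\\S-1-5-21-1004336348-1177238915-682003330-1001\\docs.rar"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\System32\\sethc.exe"},
    {"EventID": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
    {"EventID": 4722, "TargetUserName": "support_388945a0", "SubjectUserName": "jdoe"},
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "WS-042\\support_388945a0"},
    {"EventID": 7045, "ServiceName": "WinHelpSvc", "ImagePath": "C:\\ProgramData\\WinHelp\\winhelp.exe"},
    # benign noise that must not fire
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 13, "Details": "C:\\Program Files\\OneDrive\\OneDrive.exe",
     "TargetObject": "HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    for name in untested_rules(SAMPLE_EVENTS):
        print(f"no evidence in this data set for: {name}")
```

The one rule left unexercised by the sample (the IFEO variant of the sticky keys change) is the kind of gap the post is talking about: a data source you believed covered an action, with nothing in it to prove so.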

Customers have different preferences as to how we take the next step but generally one of a few options is commonly used:

AR has VPN access to the customer network

AR has shipped a special box which the customer plugs into their network

AR conducts a physical penetration to launch the APTSim via a malicious USB key, custom developed Teensy, or other hardware implanted in customer equipment

AR generates a targeted phish mirroring the initial vector used by the original actors whether that's a malicious attachment or a URL, etc.

The customer executes the APTSim model themselves

The APTSim model then connects back to our command & control center, takes all the same actions as the real attacker, and exfiltrates data, and then the customer is notified of what activity took place. The notification is a short document containing log entry examples, PCAP examples, times and dates, ports used; in short, everything that is needed to detect the activity as well as track it back post event.

If the attack simulation is not detected, then AR will assist you in tuning your defenses, whether that means new rules for your Cisco ASAs, custom ClamAV or Snort signatures, specialized Splunk apps, etc.

Rather than a barely useful once-a-year event, this process is ongoing: monthly, or as new attacks are found and analyzed. When one of the organizations in your business sector is hit, within a very short period of time you know the crucial details of the attack, are tested to see if it could hit you as well, and finally are ready to defend before the attackers come for you. This is being proactive rather than reactive.

Tags: malware. Event: AVTokyo 2010. Abstract: I had a chance to research a web site which had been tampered with by a Drive-by-Download attack, so called "Gumbler". This presentation will cover the trend of the attack, and considerations after all from that experience.

EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. The authors have discovered that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this number. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically (in the sense of extracting the key material and loading it into another card).
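An issuer-side sanity check on the unpredictable numbers a single terminal has sent, as an added example that is not from the paper: the abstract's counter and timestamp generators show up as monotonic sequences with small or fixed increments, which a random 32-bit source almost never produces. The heuristics, thresholds and sample sequences are this example's own.

```python
"""Flag EMV terminals whose "unpredictable numbers" look like a counter or a
clock rather than a random source.

Added example, not from the paper.  Input is the sequence of 32-bit UNs one
terminal sent in consecutive transactions, as an issuer could pull from its
authorisation logs.  The checks are heuristics: an empty result means nothing
obviously wrong, not proof that the generator is random.
"""


def assess_unpredictable_numbers(uns, width_bits=32):
    """Return a list of weakness labels for one terminal's UN sequence."""
    n = len(uns)
    if n < 8:
        raise ValueError("need at least 8 samples to judge a generator")
    findings = []

    if len(set(uns)) != n:
        findings.append("repeated values")

    deltas = [later - earlier for earlier, later in zip(uns, uns[1:])]
    if all(d > 0 for d in deltas):
        # n independent random values are increasing with probability 1/n!,
        # so a monotonic run of 8+ is itself a strong signal.
        findings.append("monotonically increasing")
        if len(set(deltas)) == 1:
            findings.append("fixed increment (counter)")
        elif max(deltas) < 2 ** (width_bits // 2):
            # steps far smaller than the range: a clock or a stepping counter
            findings.append("small increments (clock or counter)")

    # a stuck high-order byte means most of the nominal width is never used
    if len({u >> (width_bits - 8) for u in uns}) == 1:
        findings.append("constant high byte")
    return findings


# Constructed sample sequences (invented values, 10 transactions each).
COUNTER_TERMINAL = [0x0000010A + i for i in range(10)]
CLOCK_TERMINAL = [0x4F3A1B20 + t for t in (0, 37, 95, 140, 201, 266, 300, 358, 421, 500)]
RANDOM_TERMINAL = [0x9C4F1A22, 0x03B7E6D1, 0xF01A9B3C, 0x5D2C8E70, 0xA8E3F115,
                   0x1E9D47C4, 0xC5770B98, 0x7A0E52AF, 0xE63B6D03, 0x2B89CAE6]


if __name__ == "__main__":
    for label, seq in (("counter", COUNTER_TERMINAL), ("clock", CLOCK_TERMINAL),
                       ("random", RANDOM_TERMINAL)):
        print(f"{label}: {assess_unpredictable_numbers(seq) or 'no findings'}")
```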

Authors: Erik Tews. Tags: WiFi. Event: Chaos Communication Camp 2007. Abstract: WEP is the currently most used protocol for securing 802.11 networks, also called wireless LANs or WLANs. Recently, a new attack on WEP, the PTW attack, was discovered, which allows an attacker to recover the secret key in less than 60 seconds in some cases. We will explain how this attack works and how it can be applied to a real network. Furthermore, a passive version of the PTW attack has now been implemented, which allows an attacker to attack a network without the risk of being detected by a wireless IDS system. Additionally, we will present some other interesting attacks currently available in the aircrack-ng tool suite. This includes the wesside tool, which does WEP cracking fully automatically, and the easside tool, which allows real-time decryption of WEP traffic without the secret key.

Tags: Rich Internet Applications, Flash
Event: Chaos Communication Camp 2007
Abstract: Flash has been used for so-called RIAs for quite a long time now. Many of us know that Flash is evil and can be used for bad and ugly things, but it was not easy to audit Flash apps in the past. The lecture will start with an overview of the history of Flash/ActionScript, its capabilities and flaws. A deeper look into the object and security model as well as the variable handling will follow, including an analysis of common developer mistakes and how it is possible to exploit them. But Flash is also a powerful tool for launching attacks over the network, so a couple of possible attack examples such as request forging, network scanning or Flash-based attack back channels will be explained. The talk includes a section where free tools for auditing will be introduced.

This document gives a brief practical insight into how to carry out a DNS-based phishing attack in public Wi-Fi hotspots to trick users into sharing personal information such as passwords, credit card details etc.

[Thice] discovered a vulnerability in encrypted portable storage a few years ago. He's only now publishing the exploit. He mentions that he notified manufacturers long ago, and we'd guess the wait to publish was to give them a chance to patch the flaw. He calls it the Plug-Over Attack and for those who were [...]

Authors: Maarten Van Horenbeeck
Tags: trojan
Event: Chaos Communication Congress 24th (24C3) 2007
Abstract: Targeted trojan attacks first attracted attention in early 2005, when the UK NISCC warned of their widespread use in attacks on UK national infrastructure. Incidents such as "Titan Rain" and the compromise of US Department of State computer systems have raised their profile in the last two years. This presentation will consist of hard technical information on such attacks, in the form of a case study of an actual attack ongoing since 2005. It covers exploitation techniques, draws general conclusions on attack methodologies and focuses on how to defend against the dark arts.

Authors: Felix 'FX' Lindner
Tags: exploiting, Cisco
Event: Chaos Communication Congress 25th (25C3) 2008
Abstract: The talk will cover the past, present and future of Cisco IOS hacking, defense and forensics. Starting from the historic attacks that still work on less well-managed parts of the Internet, through the powerful common bugs and the classes of binary vulnerabilities and how to exploit them, down to the latest methods and techniques, this session will try to give everything in one bag.

Authors: Mathias Payer
Tags: exploiting
Event: Chaos Communication Congress 27th (27C3) 2010
Abstract: Unsafe languages and an arms race for new bugs call for an additional line of defense in software systems. User-space virtualization uses dynamic instrumentation to detect different attack vectors and protects against the execution of malicious code. An additional advantage of these virtualization systems is that they can be used to analyze exploits step by step and to extract the exploit code from a running program. This talk explains the concept of different attack vectors (stack buffer overflows, format string attacks, return-to-libc attacks, race attacks / TOCTTOU, integer overflows, heap buffer overflows, and code anomalies). For each of these attack vectors we show possible exploits and explain how the virtualization system is able to detect and prevent the exploit.

User-space virtualization uses a binary translation framework to instrument all running code. The instrumentation works like an additional virtualization layer and makes it possible to observe any changes to the runtime data structures (code and data) of a running program. We use fastBT to instrument and analyze different exploitable programs. The added instrumentation detects changes in the runtime layout and stops the program whenever exploit code is about to be executed. This talk presents different classes of exploits that can be observed in a dynamic instrumentation system. The exploits are analyzed and different security strategies are discussed. We then show how the instrumentation framework can implement an online protection mechanism against each class of attack vectors.

Observable Attack Vectors
Stack Overflow: A bounded buffer is overflowed with user data, overwriting data on the stack (e.g., the return instruction pointer).
Format String Attack: An attacker can write to an arbitrary address (e.g., the return instruction pointer or the address of a library function) if unvalidated user input is passed directly to printf as the format string.
Return-to-libc Attack: This attack prepares multiple stack frames that execute code sequences in libraries. The stack frames can be constructed so that (almost) arbitrary code is executed.
Race Attacks / TOCTTOU: Time-of-check-to-time-of-use race conditions exploit the window in which values can be changed after they are checked but before they are used by the program or kernel.
Integer Overflow: Overflows can be triggered by passing a negative integer where an unsigned value is expected.
Heap Overflow: A heap buffer overflow is used to overwrite function pointers or the memory allocator's metadata to trigger execution of arbitrary code.
Code Anomalies: x86_64 code is backward compatible with ia32, and in modern operating systems x86_64 and ia32 code can be mixed. The mix of different system call conventions makes it possible to break out of sandboxes that are not aware of all possible combinations of system calls.

The exploits are generally detected whenever the program branches to the injected code or to the constructed code fragments. The program is interrupted and a debugger can be attached to analyze the state of the program. TOCTTOU attacks can be detected by observing the threads and using a specific system call architecture.

Conclusion: Dynamic instrumentation is an important tool to prohibit, detect, and analyze different attack vectors against running programs. Additional instrumentation guards can be used to better understand exploits. The additional layer of virtualization implemented through dynamic instrumentation can be used to detect and log bugs and is an additional line of defense against new exploits.

Related Work: A detailed discussion of related work is in the paper.
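
Of the vectors listed above, the TOCTTOU race is the one whose window is easiest to show without native code. The following is an added example, not code from the talk or from fastBT, and it is POSIX-only: the concurrent attacker is simulated by a hook that runs between the check and the use, and the files and directory it works on are created in a temporary directory for the demonstration.

```python
"""TOCTTOU: check-then-use on a path name versus check-on-descriptor.

Added example (POSIX only, not code from the talk). The race is simulated
by a hook that runs between the check and the use, standing in for a
concurrent attacker thread or process.
"""
import os
import shutil
import stat
import tempfile


def vulnerable_read(path, during_window=lambda: None):
    """Checks the name, then reopens the name: the name can change in between."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing to follow symlink")
    during_window()                       # attacker acts here
    with open(path, "rb") as f:           # 'path' is resolved a second time
        return f.read()


def hardened_read(path, during_window=lambda: None):
    """Opens once without following links, then validates the descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        during_window()                   # too late: fd is already bound
        st = os.fstat(fd)                 # describes what we hold, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, st.st_size)
    finally:
        os.close(fd)


def race_demo(read_fn):
    """Returns what read_fn yields when the victim path is swapped mid-call."""
    work = tempfile.mkdtemp()
    victim = os.path.join(work, "victim")
    secret = os.path.join(work, "secret")
    with open(victim, "wb") as f:
        f.write(b"harmless")
    with open(secret, "wb") as f:
        f.write(b"top secret")

    def attacker():                       # replace the checked file by a link
        os.remove(victim)
        os.symlink(secret, victim)

    try:
        return read_fn(victim, attacker)
    except PermissionError:
        return None
    finally:
        shutil.rmtree(work)
```

The defensive pattern is the general one: perform every check on the object you will actually use (the open descriptor) rather than on the name that maps to it, because only the name is under the attacker's control.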

Authors: Karsten Nohl, Luca Melette
Tags: GSM, phone
Event: Chaos Communication Congress 28th (28C3) 2011
Abstract: Cell phone users face an increasing frequency and depth of privacy-intruding attacks. Defense knowledge has not scaled at the same speed as attack capabilities. This talk intends to redress this imbalance. The most severe attack vectors on mobile phones are due to an outdated technology base that lacks strong cryptographic authentication and confidentiality. Given this discrepancy between the need for protection and reality, a number of countermeasures were developed for networks and phones to better protect their users. We explain the most important measures and track their deployment. Furthermore, we will release tools to measure the level of vulnerability of networks. Sharing the results of these measurements will hopefully create problem awareness and demand for more security from phone users around the world.

Tags: malware, DoS
Event: Black Hat Abu Dhabi 2011
Abstract: Distributed Denial-of-Service (DDoS), one of the simplest and most powerful cyber attacks, is a big problem nowadays. It has existed for a long time, but attackers can now do far more damage to their targets thanks to more effective attack techniques and the spread of high-speed internet access. DDoS has become an especially serious problem because the machines of unwitting individuals (so-called zombie PCs) are loaded with malicious code and used to attack a single site or system. DDoS directly affects the targeted companies, institutions and even governments, as well as security companies and users. In addition, malicious code could be run on many other types of electronic devices such as smartphones, game consoles, home appliances and even cars, so new types of DDoS attack might appear in various places. In this presentation, we will examine the large-scale DDoS attacks that occurred in Korea (July 2009, March 2011) with detailed analysis and reverse tracking, and how the defenders (Korean institutions and security companies) coped with the attacks. WE WILL NOT MENTION WHO THE ATTACKER IS. We will also demonstrate new types of DDoS attack (by PC, smartphone, game console and so on). In this demonstration, we will cover the mechanics of DDoS attacks, including the type of attack, the damage and the preparation stage. Finally, we will suggest a solution to this problem. *IMPORTANT* This presentation tries not to include boring stuff. It will be fun, with easy explanations and interesting demonstrations.

Whitepaper called Web Backdoors - Attack, Evasion and Detection. This paper provides insight into common web backdoors and how simple manipulations can make them undetectable by AV and other security suites. It explains a few techniques that could be used to render backdoors inside web applications undetectable and unnoticed.

w3af is a Web Application Attack and Audit Framework. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which check for SQL injection, cross-site scripting (XSS), local and remote file inclusion and much more.

This short paper describes the trash attack, which is effective against the majority of fully verifiable election systems. The paper then offers a simple but counter-intuitive mitigation which can be incorporated within many such schemes to substantially reduce the effectiveness of the attack. This mitigation also offers additional benefits, as it significantly improves the statistical properties of existing verifiable systems.

Authors: Josh Pauli, Kyle Cronin, Patrick Engebretson
Tags: IDS, sniffer
Event: Black Hat USA 2010
Abstract: Testing Intrusion Detection Systems (IDS) to ensure that the most malicious attacks are detected is a cornerstone of these systems, but there is no standardized method to execute such tests. Running live exploits is not always a viable option, especially when the rule set isn't finalized, and clients are often nervous about the use of "hacker tools" on their networks. Furthermore, educators struggle to teach IDS concepts as a standalone principle without teaching attack methodologies at the same time. We are releasing two artifacts to help solve these problems. First, we introduce PAL, a PCAP Attack Library of individual pre-captured attack files that can be easily replayed for IDS testing and education. This library is completely preassembled, clean, and extensible to include further attacks. Our initial library is created from the findings in the Common Attack Pattern Enumeration and Classification (CAPEC) from the Department of Homeland Security. Second, we introduce SprayPAL, a software tool that we've developed to replay the PCAP attack library files. Users can send attacks to a specific target or broadcast to an entire subnet of machines. Additional features include the ability to select individual or multiple simultaneous attacks as well as layer 2 and layer 3 packet-level manipulation. We conclude by presenting a methodology for capturing attacks and adding them to the public library. Both our PCAP attack library and the SprayPAL tool will be released at Black Hat 2010 to the general public.
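
To make concrete what "layer 3 packet-level manipulation" of a replay library involves, here is an added example that is not PAL or SprayPAL code: it writes and reads the classic pcap file format with the standard library only, and rewrites the IPv4 destination of each frame so a stored capture can be pointed at a new target, recomputing the IP header checksum so the IDS does not simply discard the frame as corrupt. The capture content is a constructed UDP probe, not an entry from the PAL library, and the addresses and MACs are documentation values.

```python
"""Read/write classic pcap and retarget IPv4 frames (added example, stdlib only)."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over an IPv4 header (0 means 'verifies')."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4/UDP datagram; UDP checksum left at 0 (= not present)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                      64, 17, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ethernet(src_mac, dst_mac, payload):
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + payload


def write_pcap(packets):
    """packets: list of (timestamp_seconds, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)),
                           len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic or byte order")
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        packets.append((sec + usec / 1e6, data[off:off + incl]))
        off += incl
    return packets


def ip_dst(frame):
    return str(ipaddress.IPv4Address(frame[30:34]))    # 14 (eth) + 16 (dst)


def checksum_ok(frame):
    ihl = (frame[14] & 0x0F) * 4
    return ipv4_checksum(frame[14:14 + ihl]) == 0


def retarget(frame, new_dst):
    """Point an IPv4 frame at a new destination and repair the header checksum."""
    if frame[12:14] != b"\x08\x00":
        return frame                      # not IPv4: leave untouched
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    ip[16:20] = ipaddress.IPv4Address(new_dst).packed
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[14 + ihl:]


def demo(new_dst="10.0.0.5"):
    """Build a one-frame constructed capture, retarget it, read it back."""
    probe = ethernet("02:00:00:00:00:01", "02:00:00:00:00:02",
                     build_ipv4_udp("192.0.2.10", "192.0.2.20", 40000, 53,
                                    b"constructed-probe"))
    library = write_pcap([(1.25, probe)])
    rewritten = write_pcap([(ts, retarget(f, new_dst))
                            for ts, f in read_pcap(library)])
    return [(ip_dst(f), checksum_ok(f)) for _, f in read_pcap(rewritten)]
```

Only the IPv4 header checksum is repaired here. A TCP segment (or a UDP datagram that carries a checksum) also folds the addresses into a pseudo-header checksum, so a replay tool that changes addresses must recompute those too, and the destination MAC must match the target's or the gateway's for the frame to leave the sending host; putting the frames on the wire needs a raw socket or a tool such as tcpreplay and is outside this example.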

A pair of security researchers have recently unveiled an interesting new keylogging method (PDF research paper) that makes use of a very unlikely smartphone component: your gyroscope. Most smartphones now come equipped with gyroscopes, which can be accessed by any application at any time. [Hao Chen and Lian Cai] were able to use an Android phone's [...]

This whitepaper describes a timing attack vulnerability in OpenSSL's Montgomery ladder implementation for elliptic curves over binary fields. The authors use this vulnerability to steal the private key of a TLS server that authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, they mount a lattice attack that recovers the private key. Finally, they describe and implement an effective countermeasure.

Hopefully being back on Blogger will allow for more and better discussions than on the Drupal site, and if the BlindElephant guy is working on an update, hopefully this fucks up his talk and he doesn't get to call us out this year because Drupal sucks to update/manage.

Attack Surface Analyzer is developed by the Security Engineering group, building on the work of our Security Science team. It is the same tool used by Microsoft's internal product groups to catalogue changes made to the operating system attack surface by the installation of new software. Attack Surface Analyzer takes a snapshot of your system...

This is a pretty neat attack from the malware pushers, leveraging the ignorance of the average user – which in all honesty is a safe bet most of the time! You could consider it a social engineering attack as it's taking something that's familiar and changing it to deliver malware. I'm sure all the [...]

There seems to be a fairly serious vulnerability being exploited in the wild that targets vulnerable ASP.NET web applications; so far there is a temporary fix but no official announcement on when a patch will be issued. The next scheduled patches should be pushed out on October 12th. If you had set up your server [...]

Akamai's Download Manager allows attackers to download arbitrary files onto a user's desktop. Using a so-called blended threat attack it is possible to execute arbitrary code. This attack affects the ActiveX control as well as the Java applet. This was fixed in version 2.2.5.4.

There have been some very clever attacks lately, especially involving browsers and the kind of data they can leak when probed the right way. The biggest press recently was generated by the history leak that occurs in most browsers. Another clever attack that got some coverage lately was tabnabbing, and the latest is another fascinating [...]

This is an interesting new attack, I saw a live demo of it a while back here: Tabnabbing: A New Type of Phishing Attack. All you need to do is let the page load, then browse to another tab for 5 seconds or more and you’ll see the favicon change to Gmail and the page [...]

TEHTRI-Security has released advisories discussing a stack overflow inside the iPhone iOS4 CFNetwork API, a client-side attack for BlackBerry devices, a client-side attack for HTC Windows Mobile cellphones, a client-side attack for the iPad and security issues related to trains.

Authors: Thai Duong, Juliano Rizzo. Tags: web application, cryptography, cracking. Event: Black Hat EU 2010. Abstract: In 2009, we released a paper on the MD5 extension attack ([1]), and described how attackers can use the attack to exploit popular web sites such as Flickr, Vimeo, Scribd, etc. The attack has been well-received by the community, and made the Top Ten Web Hacking Techniques of 2009 ([2]). In the conclusion of that paper, we stated that we have been carrying out research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more well-known crypto bugs. In this talk, we present the latest result of that research, where we choose another powerful crypto attack, and turn it into a new set of practical web hacking techniques. We show that widely used web development frameworks and web sites are using encryption wrongly in ways that allow attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks. Finally, we list several popular web development frameworks and web sites that are vulnerable to Padding Oracle attacks, including, but not limited to, eBay Latin America, Apache MyFaces, SUN Mojarra, Ruby On Rails, etc. These are all 0-day vulnerabilities. We show that even OWASP folks can't get it right; how can an average Joe survive this new class of vulnerabilities? We strongly believe that this is just the tip of the iceberg, and the techniques we describe in this research will uncover many more vulnerabilities for years to come.

Authors: Vikram Phatak. Tags: antivirus, vulnerability, IDS. Event: Source Conference Boston 2010. Abstract: What you don’t know can hurt you. NSS Labs will share research findings from our analysis of the attack and potential variants, along with a breakdown of security vendor approaches to protecting against these types of threats. Includes discussion of what security vendors are not covering that could prevent the next big attack. Vikram Phatak is CTO and leads the research team at NSS Labs. Mr. Phatak has over 15 years of experience in computer, network, and information security. Prior to joining NSS Labs, Mr. Phatak was CTO of Trustwave, founded and was CTO for an intrusion prevention product company, was chief security architect for a Fortune 500 company, and started one of the first Internet service providers in 1994.

Authors: Nick DePetrillo, Don Bailey. Tags: GSM, phone, locating. Event: Source Conference Boston 2010. Abstract: Using new resources in concert with new and old telephony tricks, the speakers have been able to successfully track users of GSM mobile phones without direct access to SS7. Though, initially, the granularity of the location information was not fine enough, the speakers have been able to develop effective techniques to supplement the location data. Augmenting this attack is the ability to learn a target user's mobile phone number without the user's knowledge, enhancing the passive nature of the attack. The speakers will elaborate on new real world attack vectors that make these threats both credible and practical. GSM location data in the US is private. However, unscrupulous providers have exposed this data to an international audience, allowing anyone access to this information for a price. The researchers will elaborate on the technical details of how and why the above attacks work, what solutions are possible, and how users can protect themselves.

There’s been a lot of highly technical and mostly theoretical attacks lately; academic season really is in full swing. This is a very neat attack which is being labeled somewhere between catastrophic and mildly annoying depending on who you ask.
It affects most of the major Anti-virus vendors, it’s called an argument-switch attack and...

fuzzdb is a comprehensive set of known attack pattern sequences, predictable locations, and error messages for intelligent brute force testing and exploit condition identification of web applications.
Many mechanisms of attack used to exploit different web server platforms and applications are triggered by particular meta-characters that are...

This is not the first time Apache.org has been hacked; it was compromised back in September 2009 using SSH keys.
This time another targeted attack against the site was successful and allowed the attackers to capture the passwords of users logging into the bug-tracking service. It also exposed the entire password list, which sadly although hashed...

Does anyone know of a freely available pcap "attack library" which could be run through TCPreplay? Specifically, I'd like the ability to select either specific individual or multiple-simultaneous attacks and send those attacks down the wire.

I've run some searches but haven't come up with anything yet---thought I would post here before I start building it out myself.

Another interesting attack, rather than going after the PC/Server this one goes after the data sent by wireless devices such as the wireless keyboards sold by Microsoft. The neat thing is by using a replay attack you could also send rogue inputs to the device.
But then it serves Microsoft right for using XOR encryption for [...]

Even when the attacker is not associated with a WPA or WPA2 station and merely finds a client that is on one of these types of stations, the attacker can still find useful information in the packets, such as Google search terms among other things.

Attack Simulation and Threat Modeling is a book that explores the abundant resources available in advanced security data collection, classification, processing and mining. It attempts to give insight into a number of alternative methods of security and attack analytics that leverage methodologies adopted from various other disciplines in extracting valuable data to support security research work and chart a course for enterprise security decision making.

Authors: Qin Liu, Sebastien Sauge. Tags: cryptography, quantum cryptography. Event: Chaos Communication Congress 26th (26C3) 2009. Abstract: This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem. Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during the conference. Quantum cryptography, being based on the laws of physics, was claimed to be much more secure than all classical cryptography schemes. (Un)fortunately physical hardware is not beyond evil control: We present a successful attack on an existing quantum key distribution system exploiting a photon detector vulnerability which is probably present in all existing devices. Without Alice and Bob losing their faith in their secure communication, we recorded 100% of the supposedly secret key. Single photon detectors based on passively quenched avalanche photodiodes are used in a number of quantum key distribution experiments. A vulnerability has been found in which these detectors can be temporarily blinded and then forced to produce a click [1]. An attack exploiting this vulnerability against a free-space polarization based quantum cryptosystem [2,3] is feasible. By controlling the polarization of a bright beam the eavesdropper Eve can force any detector of her choice to fire in the legitimate receiver Bob, such that she gets full control of it without introducing additional errors. This allows Eve to run an intercept-resend attack without getting caught, and obtain a full copy of the transmitted secret key. We have fully demonstrated this attack under realistic conditions on an installed fiber optic quantum key distribution system.
The system uses polarization encoding over 290 m of optical fiber spanning four buildings. A complete eavesdropper has been built, inserted at a mid-way point in the fiber line, and 100% of the secret key information has been recorded. Under attack, no significant changes in the system operating parameters have been observed by the legitimate users, which have happily continued to generate their 'secret' key.

Tags: cryptography. Abstract: In this paper, we study the existence of multicollisions in iterated hash functions. We show that finding multicollisions, i.e. r-tuples of messages that all hash to the same value, is not much harder than finding ordinary collisions, i.e. pairs of messages, even for extremely large values of r. More precisely, the ratio of the complexities of the attacks is approximately equal to the logarithm of r. Then, using large multicollisions as a tool, we solve a long standing open problem and prove that concatenating the results of several iterated hash functions in order to build a larger one does not yield a secure construction. We also discuss the potential impact of our attack on several published schemes. Quite surprisingly, for subtle reasons, the schemes we study happen to be immune to our attack.